Re: Guest wireless restrictions

[Dewitt Latimer <dewittlatimer () GMAIL COM>]

I must admit, we're probably somewhat of an outlier when we decided to
throw caution (and CALEA) into the wind last year when we opened up guest
wireless for unauthenticated access.

1 year later, we've had no legal issues or abuse and our support calls have
gone down considerably. Yes, I know it's probably just a matter of time,
but in the mean time....we're clearly reaping the benefits.

Does anyone know how the Starbucks and McDonalds of the world manage the
risk associated with their open networks?

-d



---------------------------------------
Dewitt Latimer, Ph.D.
Chief Information Officer
Montana State University
dewitt () montana edu


On Mon, Apr 29, 2013 at 11:24 AM, randy <marchany () vt edu> wrote:

> The key to our guest wireless system is to assign the guests to a
> university "sponsor".  The sponsor has the ability to dictate the
> hours/days the guest can access the net.  We don't restrict protocol or
> bandwidth for guests as far as I know. The sponsor and the guest share
> responsibility for being good netizens.
>
> Our guest access FAQ page is at http://www.cns.vt.edu/data_guestFAQ.html.
>
> -Randy Marchany
> VA Tech IT Security Office & Lab
>
>
>
> On Mon, Apr 29, 2013 at 10:19 AM, David Curry <david.curry () newschool edu>wrote:
>
> > We're (still) in the process of thinking about how we want to split our
> > wireless network into two SSIDs, one for students/faculty/staff and one for
> > "guests" (in quotes because students and staff may be allowed to use it
> > too). We're thinking we want to do what a number of other schools have
> > done, and limit the "guest" SSID to a few protocols:
> >
> >    - ICMP
> >    - HTTP and HTTPS
> >    - POP and IMAP in their SSL flavors only (no plaintext)
> >    - SMTP in its SSL and TLS flavors only (no plaintext)
> >    - VPN (IPSec, PPTP, L2TP)
> >
> > which after Googling around a bit seems to be a pretty common set (some
> > also allow unencrypted POP/IMAP/SMTP, and others also allow various flavors
> > of chat/instant messaging).
> >
> > We'd also like (we think) to limit individual user bandwidth on the guest
> > wireless, partly to cut down on the damage a "misbehaving" client can
> > cause, and partly to encourage students/faculty/staff to move over to the
> > "secure" SSID. Googling around on this topic, I've been able to find lots
> > of schools doing this, but very few that document what their limits
> > actually are.
> >
> > So, two questions:
> >
> >    1. If you limit the protocols on your guest wireless, is there
> >    anything not in the list above that you've found it necessary to allow?
> >    2. If you limit the bandwidth (speed) on your guest wireless, what
> >    are your download/upload limits (speeds), and what does that allow/not
> >    allow (e.g., streaming audio/video).
> >
> > Thanks,
> >
> > --Dave
> >
> >
> > --
> >
> > *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
> >
> > *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
> >
> > +1 212 229-5300 x4728 • david.curry () newschool edu